Senx

Account Lockout Audit

Hi
I have a user that keeps getting locked out in Active Directory.
I used the Microsoft tools but they were no help.
I configured the audit policy via GPO in the domain controller level policy as follows:

Audit account logon events:      Success, Failure
Audit account management:        Success, Failure
Audit directory service access:  Success
Audit logon events:              Success, Failure
Audit object access:             Success, Failure
Audit policy change:             Success
Audit privilege use:             No auditing
Audit process tracking:          No auditing
Audit system events:             Success

But again, when I'm trying to lock my username I can't find the audit that says account locked out.

I have 3 domain controllers.

Thanks

 

arnold

You need to get the altools.exe: http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
and.
You should see a security event on a combination of DCs that locks the user out because of a credential mismatch.

I.e. the user changed password, but is resuming a remote session that continuously runs in a terminal server.
The user has shared resources mapped with the old password (control keymgr.dll).
The tool will let you locate the source from which this user's credentials are being submitted.
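
As an added example (not part of the original thread or of arnold's post): with "Audit account management" success auditing enabled as in the question, DCs running Windows Server 2008 or later log a lockout as Security event 4740, so each DC's log can be searched directly. The Server 2008+ requirement, the DC names `DC1` to `DC3`, the account `jdoe` and the function name `Get-LockoutEvent` are assumptions.

```powershell
# Added example: search each domain controller's Security log for lockout events.
# Assumptions: DCs run Windows Server 2008 or later (lockout = event ID 4740),
# the DC names and account name used below are placeholders, and the caller is
# allowed to read the remote Security logs.
function Get-LockoutEvent {
    param(
        [Parameter(Mandatory)] [string[]] $DomainController,
        [Parameter(Mandatory)] [string]   $UserName,
        [int] $Hours = 24
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        }
        catch {
            # Get-WinEvent raises an error when no events match; report it and move on.
            Write-Warning "${dc}: $($_.Exception.Message)"
            continue
        }
        foreach ($e in $events) {
            # In event 4740, Properties[0] is the locked account name and
            # Properties[1] is the caller computer name (source of the bad attempts).
            if ($e.Properties[0].Value -ne $UserName) { continue }
            [pscustomobject]@{
                TimeCreated    = $e.TimeCreated
                LoggedOnDC     = $dc
                LockedAccount  = $e.Properties[0].Value
                CallerComputer = $e.Properties[1].Value
            }
        }
    }
}

# Placeholder DC names and account; replace with the three real DCs and the affected user.
Get-LockoutEvent -DomainController 'DC1','DC2','DC3' -UserName 'jdoe' |
    Sort-Object TimeCreated | Format-Table -AutoSize
```

The `CallerComputer` column is the machine to inspect for stale credentials; a DC that returns only a warning either logged no lockout in the time window or could not be reached.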
Senx

ASKER

Hi
Thanks for your answer.

I figured out with altools what machine locked me out,

but I checked the services and scheduled tasks to see if there is anything that ran on my account, and none of them used my account.

Are there any ideas what can lock my account?
Failed attempts to access resources using outdated credentials is the only thing.
When you say, "i figure out with altools what machine locked me out", do you mean you found the system from which the failed requests were being made, or are you talking about the DC that actually locked the account?
The DC is not the cause for the lockout; it is a consequence of failed authentication attempts that were received by it.
You need to determine the system from which your username with the wrong password was being used and why. Is that system a terminal server? Does your last password change correspond to when your account began to be locked out? Do you have a laptop that is always on (hibernate) that you take with you and then connect into the LAN where you still use your old password to unlock/login into the laptop? If so, this is the source of your issue.
Senx

ASKER

Hi
Thank you for your answer.

Yes, I mean I found the system from which the failed requests are being made.

The system is not a terminal server.
XP SP3
Not a laptop